1. What is this lab used for?
This lab is used to simulate a Security Operations Center (SOC)
using a SIEM tool like Splunk.
It allows you to:
- collect logs (Windows, Linux, network, etc.)
- analyze security events
- detect attacks (brute force, malware, intrusion, etc.)
- create automated alerts
- visualize activity using dashboards
In simple terms:
It is a real-time cybersecurity monitoring center.
2. Lab objectives
By the end of this lab, you should be able to:
- Install and configure Splunk
- Add data sources (logs)
- Search events using SPL (Splunk Search Processing Language)
- Build security dashboards
- Detect suspicious activity
- Create automated alerts
3. Tools used
1. Splunk Enterprise / Free
- main SIEM platform
- log analysis tool
2. Data sources
- Windows Event Logs
- Linux logs (auth.log, syslog)
- CSV log files
3. Web browser
- Splunk Web interface
4. Simulated attack data
- SSH brute force attempts
- Windows login failures
- suspicious network traffic
4. Splunk Interface (main tabs)
When you open Splunk Web, you will see the key tabs below:
1. Search & Reporting
Core feature of Splunk
Used for:
- searching logs
- filtering events
- writing SPL queries
Example:
```spl
index=main sourcetype=access_combined
```
2. Dashboards
Data visualization section
Used for:
- charts
- graphs
- security KPIs
Examples:
- failed login attempts
- suspicious IP addresses
3. Alerts
Automated detection system
Used for:
- real-time attack detection
- sending email/notifications
Example:
- more than 10 failed logins → ALERT
4. Data Inputs
Data ingestion section
Used for:
- uploading log files
- connecting Windows/Linux systems
- receiving real-time logs
5. Settings
Global configuration
Used for:
- managing indexes
- users and permissions
- data sources configuration
6. Apps
Extensions for Splunk
Used for:
- adding security modules
- enhancing SOC capabilities
5. Installation steps (click by click)
Step 1: Download Splunk
1. Go to Splunk official website
2. Download Splunk Enterprise (Free trial)
Step 2: Install Splunk
1. Run installer
2. Click Next → Next → Install
3. Wait for installation
4. Create admin account:
- username
- password
Step 3: Launch Splunk
1. Open browser
2. Go to:
```
http://localhost:8000
```
3. Log in
6. Adding data (logs)
Step 1: Go to Data Inputs
- click Settings
- then Data Inputs
Step 2: Choose data source
Options:
- Upload file
- Monitor folder
- TCP/UDP stream
Step 3: Import logs
- select log file
- choose index (main)
- confirm
7. Log analysis (Search)
Step 1: Open Search & Reporting
Step 2: Run queries
Brute force example:
```spl
index=main "failed login"
```
Linux SSH logs:
```spl
index=linux sourcetype=secure
```
Step 3: Filter results
- by IP address
- by user
- by time range
8. Creating dashboards
Step 1:
- go to Dashboards
- click New Dashboard
Step 2:
- name it “Security Monitoring”
Step 3:
- add panels
- use search queries
Examples:
- failed login count
- top attacking IPs
9. Creating alerts
Step 1:
- run a search query
Step 2:
- click Save As → Alert
Step 3:
- set condition:
- event count > 10
Step 4:
- choose action:
- email
- dashboard notification
10. Final lab result
At the end, you get:
- A working SIEM platform
- Centralized log collection
- Attack detection (brute force, anomalies)
- Security dashboards
- Automated SOC alerts
Simple summary
Splunk = SOC brain
Logs = raw data
Dashboards = visualization
Alerts = automatic detection
Search = investigation
Copyright © All rights reserved.